General Data Protection Regulation (GDPR)


The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form. The Institute for Education is set to fully comply with the Data Protection Principles as set out in such data protection legislation.

The Data Controller

The Data Controller of the Institute is the Chief Executive Officer within the Institute for Education, who may be contacted at:
The Institute for Education
Martin Luther King Road,
Pembroke, PBK 1990
Telephone Number: 2598 2034

The Information and Data Protection Commissioner

The Information and Data Protection Commissioner may be contacted at:

Level 2, Airways House,
High Street,
Sliema SLM 1549
Telephone Number: 23287100

Email:  [email protected]



The GDPR has been introduced to:

  • better reflect the data protection challenges arising in the digital age
  • modernise data protection arrangements to make organisations more accountable
  • give individuals greater control over their own personal data
  • address globalisation and harmonise data protection practice across Europe

What’s new

The GDPR is similar to the Data Protection Act (Cap 440) but introduces many changes to data protection practices. These require the Institute for Education to review and revise all approaches to data handling. Key changes include:

  1. tougher financial penalties – fines of up to €20 million
  2. strong rules around record keeping and new financial penalties for not being able to evidence accountability for our processes – fines of up to €10 million
  3. a more stringent data breach notification process – only 72 hours from detection to notify a data breach to the ICO
  4. a broader definition of personal data
  5. a new approach to consent: freely given, positive opt-in and easy to withdraw
  6. new and expanded rights including a right to erasure and data portability
  7. a reduced timeframe for handling Subject Access Requests – from 40 days down to 1 month, and the DPA £10 fee is no longer applicable
  8. mandatory privacy impact assessments for new services/projects where risks are high
  9. more restrictive rules around the use of child data
  10. revised processes for international data transfers
  11. a requirement for large organisations to appoint a Data Protection Officer.


Personal data
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data
This used to be called “sensitive personal data” under Data Protection Act (Cap 440), and now includes:

  1. racial or ethnic origin
  2. political opinions
  3. religious or philosophical beliefs
  4. trade union membership
  5. health
  6. genetic data and biometric data processed for the purpose of uniquely identifying a person
  7. sex life or sexual orientation

Criminal convictions or alleged offenses
In a shift from the previous Data Protection Act, this is not classed as “sensitive personal data”, but is covered in the GDPR Article 10 and is treated by the Institute for Education as high-risk personal information.


The General Data Protection Regulation (GDPR) introduces six principles. These are that personal data must be: 

  1. processed lawfully, fairly and in a transparent manner in relation to individuals
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Source: GDPR, Article 5.


Under the GDPR, a lawful basis needs to be identified and documented before data is processed. This is important as the lawful basis chosen will have a strong effect on an individual’s rights, e.g. where the University relies on consent to process data, an individual will have additional rights.

The rules around obtaining and evidencing consent are stricter than previously. The below is a checklist to help organisations gather, record and manage consent in line with the new requirements under the GDPR.

This provides a useful starting point for all Institute employees in planning any changes needed to their personal data processes.

Asking for consent

  1. We have checked that consent is the most appropriate lawful basis for processing.
  2. We have made the request for consent prominent and separate from our terms and conditions.
  3. We ask people to positively opt in.
  4. We don’t use pre-ticked boxes, or any other type of consent by default.
  5. We use clear, plain language that is easy to understand.
  6. We specify why we want the data and what we’re going to do with it.
  7. We give granular options to consent to independent processing operations.
  8. We have named our organisation and any third parties.
  9. We tell individuals how they can withdraw their consent.
  10. We ensure that the individual can refuse to consent without detriment.
  11. We don’t make consent a precondition of a service.
  12. If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.

Recording consent

  1. We keep a record of when and how we got consent from the individual.
  2. We keep a record of exactly what they were told at the time.

Managing consent

  1. We regularly review consents to check that the relationship, the processing and the purposes have not changed.
  2. We have processes in place to refresh consent at appropriate intervals, including any parental consents.
  3. We consider using privacy dashboards or other preference-management tools as a matter of good practice.
  4. We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  5. We act on withdrawals of consent as soon as we can.
  6. We don’t penalise individuals who wish to withdraw consent.